Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5957.htm

Tomcat information exposure and cross site scripting



30th Jan 2003 [SBWID-5957]
COMMAND

	Tomcat information exposure and cross site scripting

SYSTEMS AFFECTED

	Tomcat version 3.x.

PROBLEM

	In Debian Security Advisory [DSA 246-1] :
	
	 http://www.debian.org/security/
	
	The  Common  Vulnerabilities  and  Exposures  project   identifies   the
	following problems:
	
	 . CAN-2003-0042: A maliciously crafted request could return a
	   directory listing even when an index.html, index.jsp, or other
	   welcome file is present.  File contents can be returned as well.
	
	 . CAN-2003-0043: A malicious web application could read the contents
	   of some files outside the web application via its web.xml file in
	   spite of the presence of a security manager.  The content of files
	   that can be read as part of an XML document would be accessible.
	
	 . CAN-2003-0044: A cross-site scripting vulnerability was discovered
	   in the included sample web application that allows remote attackers
	   to execute arbitrary script code.

SOLUTION

	For the stable distribution (woody)  this  problem  has  been  fixed  in
	version 3.3a-4.1.
	
	The old stable distribution (potato) does not contain tomcat packages.
	
	For the unstable distribution (sid)  this  problem  has  been  fixed  in
	version 3.3.1a-1.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH